Category: Usability

Ian Grigg on SSL

Ian Grigg has a great page on the SSL industry (really the “certification authority” industry.) Worth reading.

The topic reminds me of an essay, I think from Nick Szabo, on the use of language and terminology within the security industry to distort thinking. (The bit I remember discussed the use of “certification authorities,” self-declared.) I’m having trouble finding it. Can anyone help?

Amazon (3 Comments on SteveC)

Something about a post by Steve got to me…

Whenever amazon comes up in conversation I tell people how particularly behind they are but I don’t think I get the point across.

Who does better? I find that it always works better to say who does well, rather than who does poorly. Let people figure out the latter on their own.

Take a design perspective on amazon. Their website is basically crap. It has accreted so much it’s like a ship covered in barnacles with the hull removed – you can use the shell of barnacles itself to sail upon. Consider the simple task of finding recommendations of items to buy. You’d think they’d subtract items you have bought from them or items already on your wishlist from that, but no. It’s such a simple thing, the kind of thing you don’t want them to miss. The kind of thing Apple would pick up on but Microsoft not.

Do they not have that? For a while the US site had a “I already have this” checkbox…I never checked it because it’s none of their business. I mind telling them what I own, and I mind their assumption that if I own it I like it, more than I mind seeing extra items in the suggestion box.

And finally, with regard to the “smell of desperation,” if I can sell you a credit card at 12%, borrow money from the fed at 2, and pay someone else 5% to manage the accounts, then I’m making a risk free 5% on my money. (I don’t know if I can offload management and non-payment risk at the same time.) Now, that’s not a brilliant return, but given that Amazon has chosen to hold onto a lot of cash, making a low risk 5% seems like a fine bit of financial engineering.

"Getting nothing wrong is for the uninspired"

Nat has a typically insightful post inspired by Muine, a radical re-think of what a music player on your computer should do.

Why would those things be there? Because every other music app has those features, and if you’re building a music tool, you’ve got to have them too. Only, somehow, you’ve got to do them better than everyone else. How could you possibly put out a music player without the ability to burn CDs from a playlist? Or without a five-star rating system like Windows Media Player? Are you paying any attention to what’s going on?

Now, if only his blog had labels on posts, (instead of days), comments, and maybe some sort of trackback feature…

Piscitello on Bugtraq

My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure:

I think that Dave has a valid point here, but not all interesting security bugs are on corporate networks. A no-credential overflow in the new Doom, for example, would create tens of thousands of new zombie machines, and is broadly relevant. (Not to mention the number of work machines used for blowing off steam after hours. In violation of policy of course.)

I’m curious: If we want these bug hunters to be more useful to us, how can we encourage them to find better bugs?

[Update: More in response to Pete Lindstrom’s comments in a Nov 13 post.]

I wonder what this means?

I’m trying to submit my comments on Secure Flight.

When I try to upload my file to, I’m told:

An error occured while attempting to upload your comment
[Microsoft][ODBC driver for Oracle][Oracle]ORA-01401: inserted value too large for column

I’ve submitted a request for help via the provided link.
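The ORA-01401 message above means the database column was narrower than the comment being stored, and the raw driver text was passed straight back to the user. As an added example (not code from the original post or from the Secure Flight comment site), here is how a comment handler can enforce such a limit itself and keep the driver detail in its own log. The 4000-character limit, the in-memory SQLite table and its CHECK constraint are all assumptions standing in for the real site’s Oracle column.

```python
import sqlite3

# Assumed column width; the real site's Oracle column size is not on the page.
COMMENT_MAX_CHARS = 4000

# Constructed in-memory log standing in for the server's error log.
INTERNAL_LOG = []


def open_db():
    """Create a throwaway SQLite database whose CHECK constraint plays the part
    of an Oracle VARCHAR2 column width (SQLite itself ignores declared widths)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments ("
        " id INTEGER PRIMARY KEY,"
        f" body TEXT NOT NULL CHECK (length(body) <= {COMMENT_MAX_CHARS}))"
    )
    return conn


def submit_comment(conn, body, precheck=True):
    """Store a comment and return (ok, message_for_user).

    With precheck=True the length is validated before the INSERT, so an
    oversized comment gets an actionable message. precheck=False shows what
    happens when the application relies on the database alone: the INSERT
    fails, the driver detail goes to the internal log, and the user still
    gets a generic message rather than the raw exception text."""
    if precheck and len(body) > COMMENT_MAX_CHARS:
        return False, (
            f"Your comment is {len(body)} characters long; the limit is "
            f"{COMMENT_MAX_CHARS}. Please shorten it."
        )
    try:
        # The connection context manager commits on success, rolls back on error.
        with conn:
            conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    except sqlite3.IntegrityError as exc:
        INTERNAL_LOG.append(f"comment insert rejected: {exc}")
        return False, "Your comment could not be saved. Please try again later."
    return True, "Thank you, your comment was received."


def stored_count(conn):
    """Number of comments actually persisted."""
    return conn.execute("SELECT count(*) FROM comments").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(submit_comment(db, "A short comment on Secure Flight."))
    print(submit_comment(db, "x" * 5000))
    print(submit_comment(db, "x" * 5000, precheck=False))
    print(INTERNAL_LOG)
```

The pre-check is what a user actually needs (how long is too long); the except branch is the fallback for when the application’s idea of the limit and the schema drift apart, so that the user never sees a driver or database name in the response.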

Organization in the way: how decentralization hobbles …

Another interesting article from Peter Merholz closes with:

Until now, user experience efforts have been focused on building teams that practice user-centered design (UCD). However, researchers at User Interface Engineering recently discovered that the size of an organization’s UCD practice is somewhat inversely proportional to the site’s usability. You read that right: Companies that invest in usability seem to be creating marginally worse products. If you consider the problem of design in modern organizations, there’s a clear explanation for this seeming oxymoron. The more a company invests in UCD, the more likely it is to create a separate UCD group or department. This group then plays the role of “interface cop,” reviewing everything before it goes out. Of course, this bottlenecks development processes; thus, the UCD department becomes a point of pain to route around.

You can just drop in “security” for “UCD” and I bet the same thing will hold. Too many security groups are in the role of gatekeeper, not collaborator. They are charged with poor goals such as “no break-ins,” which are hard to evaluate, hard to tie to ROI, and may miss larger issues, such as phishing.

One of the better groups I know has the title “Loss Prevention” on the org chart. Names are powerful things, as are goals. Choose them carefully.

"Metadata for the masses"

In “Metadata for the masses,” Peter Merholz presents an interesting idea, which is to build a classification scheme from free-form data that users apply. He points to Flickr’s “Cameraphone” category, which would probably not exist if there was only a pull-down list.

He also points up problems: Many categories for one thing (nyc, NewYork, NewYorkCity), one category that means many things (“Flow, for instance, can either mean optimal creative experience, or the movement of a fluid,”), and categorizations that are wrong.

I think there’s a tie here to memes, or ideas which encourage you to adapt them. If I see a tag which strikes me, is evocative to me, or I see as useful, I’m likely to use it myself. If I create a tag which I find evocative, but no one else does, (say, “Bastiat-ic”) it’s unlikely to get picked up. I am a big fan of evolutionary, or memetic systems like this, and am sorely tempted to try to include it in my project, but the goal of that project isn’t actually to create a taxonomy, it’s to create a useful naming scheme. I think a taxonomy is part of that, but others who get a say in the final analysis disagree, and so I’d like to focus on getting a taxonomic name space, rather than a cool evolutionary method for creating it.

(Via Nudecybot. Oh, and it’s too bad that there’s no RSS on Merholz’s page. I’d like to see their essays, but not their “appearance dates and other news.”)
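As an added example of the “many categories for one thing” problem and of tags that never get picked up (this is not Merholz’s or Flickr’s code), here is a small folksonomy builder. It folds case, spacing and punctuation, applies a hand-maintained alias table, and separates tags that several people used from singletons. The tag lists and the alias table are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: free-form tags as several users might apply them.
SAMPLE_TAGS = [
    ["nyc", "Cameraphone"],
    ["NewYork", "cameraphone"],
    ["NewYorkCity", "flow"],
    ["new york city", "cameraphone"],
    ["flow", "Bastiat-ic"],
    ["NYC", "skyline"],
]

# Hand-maintained alias table (assumed): variants agreed to mean one thing.
# Keys and values are in normalized form (lower case, letters and digits only).
ALIASES = {"newyork": "nyc", "newyorkcity": "nyc"}


def normalize(tag):
    """Collapse case, whitespace and punctuation so 'New York City' and
    'NewYorkCity' compare equal, then map known variants onto one name."""
    key = re.sub(r"[^a-z0-9]", "", tag.lower())
    return ALIASES.get(key, key)


def build_folksonomy(tag_lists, min_uses=2):
    """Return (categories, variants, singletons).

    categories: canonical tag -> number of uses, for tags used min_uses+ times
    variants:   canonical tag -> the raw spellings that were merged into it
    singletons: canonical tags used fewer than min_uses times (not picked up)
    """
    counts = Counter()
    variants = defaultdict(set)
    for tags in tag_lists:
        for tag in tags:
            canon = normalize(tag)
            counts[canon] += 1
            variants[canon].add(tag)
    categories = {c: n for c, n in counts.items() if n >= min_uses}
    singletons = sorted(c for c, n in counts.items() if n < min_uses)
    return categories, dict(variants), singletons


if __name__ == "__main__":
    cats, vars_, single = build_folksonomy(SAMPLE_TAGS)
    print(cats)
    print(sorted(vars_["nyc"]))
    print(single)
```

Normalization handles the synonym problem but not the other two Merholz names: “flow” is merged into one count here whether it meant creative experience or fluid motion, and a tag applied to the wrong photo is counted just like a correct one. Those need people, or co-occurrence with other tags, not string cleanup.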

Notational Velocity

Andrew Stewart pointed me to Notational Velocity, an interesting little note taking app. It’s a little disconcerting at first, because you only have one note area, and the way to create a new note is to just overwrite the old title. (There’s a menu item to rename something.)

But worth checking out if you’re a mac user. And the photoshop on the page is pretty cute.